http://bugzilla.suse.com/show_bug.cgi?id=1004049 http://bugzilla.suse.com/show_bug.cgi?id=1004049#c1 Dr. Werner Fink changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |meissner@suse.com --- Comment #1 from Dr. Werner Fink --- Maintainer of socat is meissner@suse.com ;) -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1004049 http://bugzilla.suse.com/show_bug.cgi?id=1004049#c3 --- Comment #3 from Marcus Meissner --- what command line args do you try? I think this is intended actually, as it should have the right permissions on creation. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1004049 http://bugzilla.suse.com/show_bug.cgi?id=1004049#c5 --- Comment #5 from Dr. Werner Fink --- Btw: My solution is setcap cap_chown+ep /usr/bin/screen setcap cap_chown+ep /usr/bin/socat as root. Similar for ping and ping6 with cap_net_raw+ep -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1004049 http://bugzilla.suse.com/show_bug.cgi?id=1004049#c7 Dr. Werner Fink changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lnussel@suse.com --- Comment #7 from Dr. Werner Fink --- (In reply to Marcus Meissner from comment #6) Hmm ... pty usage should be possible for progams which depends on pty. Not only xterm, konsole lxterminal. gnome-terminal, but also screen and socat and some other programs do depend on that. You can not use screen and socat without. Btw. for /usr/bin/ping and /usr/bin/ping6 I've set cap_net_raw+ep as otherwise those two programs are useless and should not stay below /usr/bin/ but in /usr/sbin/. IMHO this requires an extension of the concept of /etc/permissions to be able to set capabilities ... with this we might remove capabilities in the secure and paranoid, but add them in default and/or easy. Such an extension coould be # Format: # <file> <owner>:<group> <permission> [] that means an optional fourth column to set capabilities or if absent to remove any capabilities -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1004049 http://bugzilla.suse.com/show_bug.cgi?id=1004049#c9 --- Comment #9 from Dr. Werner Fink --- (In reply to Ludwig Nussel from comment #8) The openpty(3) code of the glibc does a chown on the resulting /dev/pts/<num> and this return with EPERM. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1004049 http://bugzilla.suse.com/show_bug.cgi?id=1004049#c11 --- Comment #11 from Dr. Werner Fink --- (In reply to Ludwig Nussel from comment #10) This does not solve the problem on Leap 42.1 where opentty(3) does a chown(2) ... btw: I've running a Leap 42.2 here in a VM and ... let's see ... OK for werner via NIS it does not, but for the local user linux 27408 open("/dev/ptmx", O_RDWR) = 5 27408 statfs("/dev/pts", {f_type="DEVPTS_SUPER_MAGIC", f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0 27408 rt_sigaction(SIGCHLD, {SIG_DFL, [], SA_RESTORER|SA_RESTART, 0x7f2060c9b950}, {0x406510, [], SA_RESTORER|SA_RESTART, 0x7f2060c9b950}, 8) = 0 27408 ioctl(5, TCGETS, {B38400 opost isig icanon echo ...}) = 0 27408 ioctl(5, TIOCGPTN, [1]) = 0 27408 stat("/dev/pts/1", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0 27408 ioctl(5, TCGETS, {B38400 opost isig icanon echo ...}) = 0 27408 ioctl(5, TIOCGPTN, [1]) = 0 27408 stat("/dev/pts/1", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0 27408 getuid() = 1000 27408 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 6 27408 connect(6, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = 0 27408 sendto(6, "\2\0\0\0\f\0\0\0\6\0\0\0group\0", 18, MSG_NOSIGNAL, NULL, 0) = 18 27408 poll([{fd=6, events=POLLIN|POLLERR|POLLHUP}], 1, 5000) = 1 ([{fd=6, revents=POLLIN|POLLHUP}]) 27408 recvmsg(6, {msg_name(0)=NULL, msg_iov(2)=[{"group\0", 6}, {"\310O\3\0\0\0\0\0", 8}], msg_controllen=20, [{cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, [7]}], msg_fla gs=MSG_CMSG_CLOEXEC}, MSG_CMSG_CLOEXEC) = 14 27408 mmap(NULL, 217032, PROT_READ, MAP_SHARED, 7, 0) = 0x7f20618ad000 27408 close(7) = 0 27408 close(6) = 0 27408 ioctl(5, TIOCSPTLCK, [0]) = 0 27408 rt_sigaction(SIGCHLD, {0x406510, [], SA_RESTORER|SA_RESTART, 0x7f2060c9b950}, {SIG_DFL, [], SA_RESTORER|SA_RESTART, 0x7f2060c9b950}, 8) = 0 27408 ioctl(5, TCFLSH, 0x2) = 0 27408 ioctl(5, TIOCPKT, [1]) = 0 27408 fcntl(5, F_SETFL, O_RDONLY|O_NONBLOCK) = 0 27408 ioctl(5, TCFLSH, 0x2) = 0 27408 chown("/dev/pts/1", 1000, 5) = 0 27408 chmod("/dev/pts/1", 0620) = 0 27408 brk(0xf77000) = 0xf77000 and at exit 27408 access("/var/run/utmpx", F_OK) = -1 ENOENT (No such file or directory) 27408 open("/var/run/utmp", O_RDONLY|O_CLOEXEC) = 6 27408 lseek(6, 0, SEEK_SET) = 0 27408 alarm(0) = 0 27408 rt_sigaction(SIGALRM, {0x7f2060d836b0, [], SA_RESTORER, 0x7f2060c9b950}, {SIG_DFL, [], 0}, 8) = 0 27408 alarm(10) = 0 27408 fcntl(6, F_SETLKW, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = 0 27408 read(6, "\2\0\0\0\0\0\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 27408 read(6, "\7\0\0\0(\f\0\0tty1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 27408 read(6, "\1\0\0\0005\0\0\0~\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 27408 read(6, "\10\0\0\0\375j\0\0pts/1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 384) = 384 27408 read(6, "", 384) = 0 27408 fcntl(6, F_SETLKW, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}) = 0 27408 alarm(0) = 10 27408 rt_sigaction(SIGALRM, {SIG_DFL, [], SA_RESTORER, 0x7f2060c9b950}, NULL, 8) = 0 27408 chmod("/dev/pts/1", 0666) = 0 27408 chown("/dev/pts/1", 0, 0) = -1 EPERM (Operation not permitted) there is a chown -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1004049 http://bugzilla.suse.com/show_bug.cgi?id=1004049#c13 --- Comment #13 from Ludwig Nussel --- me too :-) Sounds like a bug somewhere -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1004049 http://bugzilla.suse.com/show_bug.cgi?id=1004049#c19 Tomáš Chvátal changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |WONTFIX --- Comment #19 from Tomáš Chvátal --- This is automated batch bugzilla cleanup. The openSUSE 42.3 changed to end-of-life (EOL [1]) status. As such it is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of openSUSE (At this moment openSUSE Leap 15.1, 15.0 and Tumbleweed) please feel free to reopen this bug against that version (!you must update the "Version" component in the bug fields, do not just reopen please), or alternatively create a new ticket. Thank you for reporting this bug and we are sorry it could not be fixed during the lifetime of the release. [1] https://en.opensuse.org/Lifetime -- You are receiving this mail because: You are on the CC list for the bug.